
April 15, 2020

Technological or biological, it still all boils down to access control

My wife showed me a really cool video today summarizing a lot of pretty heavy information about COVID-19. If you don’t want to read the rest of today’s email and simply watch the video, that’s fine[1]. I think it’s excellent, and we can talk about more security stuff tomorrow.

Otherwise, let’s get on with it.

There’s a lot you can learn from this video on so many levels—not the least of which is how to turn 31 A4 pages of reference materials into an 8 and a half minute video. Because the purpose of what we need to do in security is to summarize, explain, inform, educate, and provide plausible confidence that we understand what we’re doing and things are under control. Or, if they aren’t, that we know how much not under control they happen to be, and, oh, by the way…

…here’s our plan for sorting it out.

Now, having warped my brain over the last 14 years to see the world through the lens of the core SABSA concepts, one of the first things that jumped out at me when I watched this – which, admittedly had been brewing in the back of my brain for a couple of days now – is what led to the subject of today’s email.

I’ve talked about this before a couple of times in the last 6 months or so, but one of the reasons I think it’s so easy for security people to get divorced from the organizations we protect is that, when you tear away all the rest of it, at the end of the day, all we really have in our arsenal are two very closely related things:

1. Awareness of the threats we face, and

2. The access control mechanisms we have available.

And our goal in all this is pretty binary: keep the bad things “outside” through well-considered control implementations.

Sure, it gets all complicated and nuanced and we often do a really bad job of identifying the boundaries that are important because our thinking is limited by the resources, technology and information we have available to us. But, those two factors are what matter most.

Unfortunately, we tend to take a pretty technology-centric view of both of those factors, and then we slip into the “more is better” mantra that gets us into trouble because the degree of “locked-ness” is generally the inverse of the degree of usability. And when we fail to vamp on those two things sufficiently to understand the context and capabilities we have in the big picture to deal with the minutiae of the individual machines, that’s where we lose our way and start earning our bad reputation of Security as Killjoy the Business Blocker.

So, back to the video. At about 50 seconds in, it starts talking about how the coronavirus spreads, and unless you’ve been under a rock, that is generally through droplets containing the virus escaping from an infected person and coming in contact with a non-infected person.

Normally, this is through the exchange of bodily fluids like spit, snot, and mucus expelled through sneezing, coughing…or, like the mask-wearing asshat on the tube now with a warrant out for his arrest, by smearing your spit on the hand rails of the metro. Of course, I’m guessing the excretions of the arse end of the ape are also likely conduits for transmission since these have been proven to be the case in the past.

The problem we need to solve for avoiding the transmission of the coronavirus is actually the same problem we need to solve in our more mundane – and decidedly less pandemic-y – day-to-day security work. We have to understand the context, we need to build an architecture to help us understand what our exposure really is, and then we need to apply a set of available controls to prevent those risks from materializing.

And we can do all this with SABSA domains and the basic rules you get from The Blue Book or Foundation.

Two independent domains represent the two bodies. One’s infected, and one isn’t.

According to the laws of domains, each independent domain manages its own access control through the domain boundary. In our case, we have 3 main gateways to worry about:

The eyes

The nose, and

The mouth.

However, one of the “features” of the domain boundary that is our body is that we have these two appendages that move around the place—our hands. So we can almost think of them as a communication service between the outside world and inside our domain (body). The environment in which the two humans interact is a containing superdomain, and it too has some communications services like air that allow information to pass between elements in it.

So the most direct potential controls you can apply to manage the access between what’s outside and inside your domain of interest (our body) is to directly and explicitly manage the ability of the air to interact with those explicit service interfaces we expose through our eyes, nose and mouth. That means:

We wear goggles or glasses to cover our eyes.

We wear a mask to cover our nose and mouth.

And if we do this, we’re effectively managing the interaction between those two domains—assuming we’ve selected the right control vendors that actually deliver our requirements.

However…our customer (us) says that this set of controls is too restrictive for whatever they want to do—like maybe eat something.

So, we need to take a step back and re-evaluate our options. We understand our environment, we’ve mapped out the domains, and we’ve established some boundaries.

Once we’ve done this, we can see what other kinds of options and constraints we can twiddle to see how well we can meet the needs of our customer.

So “social distancing” with 1m between people who are coughing and sneezing. That’s a potential control, but it’s not one we can always directly manage. This is fine, because it’s the #2 of the things we ultimately have to work with. However, if we fail to completely understand #1 and how they interact with our ability to manage #2, we could easily find ourselves relying on our “social distancing” control right up to the point where we hop onto the tube and end up inadvertently massaging someone’s prostate with our laptop bag.

If we can’t reliably manage those controls, and the most direct controls aren’t acceptable to the customer, then we need to find another way. We can secure the communications channel we manage between the outside world and the inside by:

Washing our hands—a lot, and using sanitizer where we can (assuming you can find any)

However, in relying on those controls, we need to understand that we’re actually asking people to change their behavior—just like we are with social distancing…

…and just like we are with many of our organizational security controls.

And, psychology says…behavior change is hard.

Recognizing this, we bring in bigger guns, in an even wider context:

We self-quarantine.

And when that doesn’t work, we enforce quarantine—maybe with €30,000 fines like in Spain.

And when that doesn’t work (or maybe as an attempt to prevent that from being necessary), we draw more boxes at the local, territory and national level where we try and enforce our access control mechanisms at each boundary we either physically or logically create.

I could go on, but I think you get the idea here.

One of the reasons we’re failing to manage this pandemic isn’t because we weren’t ready with our BC/DR plans. It’s because we didn’t think through the problem. And, given that we’re working in a global network of siloed decision-making down to ultimately each individual living on the planet…

…thinking we can keep everyone safe without a model…dare I say an architecture…that was well defined, clearly communicated and consistently used to coordinate an objective and reasonable response…

…makes about as much sense as trying to do security in our organizations solely based on “best practices”, foxy frameworks and standardized controls sprinkled around the place like toilet paper the morning after Halloween.

Without structure to our thinking – and without a way to document and communicate the structure behind our thinking – there’s only one outcome:

We fail.

My hope is that we’re going to learn from this, and we’re going to be able to understand and analyze after the fact how everything is connected, and everything fits together in this complex, globally-interconnected world we live in today.

At the very least, I hope it underscores the importance of actually understanding the architectures you have in your organization. Because without that understanding, you’re worse than flying blind. Far too often, all you can do is guess.

What I want you to take away from today’s email – which admittedly ended up being a bit heavier than I’d originally intended – is simply this: everything has an architecture. It’s the degree to which you understand what that architecture is and how its elements interact that determines how successful you’ll ultimately be in getting what you want—whether that’s managing a global pandemic or simply being able to continue delighting your customers.

If you want to think more deeply about this and how you’re doing it in your organization, I might be able to help. I’ve no idea, because there are too many variables that, right now, I couldn’t begin to guess. What I do know is that I’ve been able to do it for other people, both large and small, for the last several years. If you want to talk about it, here’s the link to make that happen:

This stuff we’re going through right now is pretty serious, and not everyone is taking it as seriously as they should—especially depending on where in the world you actually are. And, much like our own, isolated world of information and cybersecurity, you won’t often know you’ve been impacted until it’s already happened.

However, in this case, we do know what to do—as long as we pay attention to what’s happening around us. And we know it works. We just need to make it happen.
